From 892d6a8f3a6459674bb555bf88b08ce3eb3eb8a5 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 11:53:19 -0500 Subject: [PATCH 01/12] eks lambda handler --- templates/eks-protection-stack.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/eks-protection-stack.yml b/templates/eks-protection-stack.yml index ee348b7..a59cdbd 100644 --- a/templates/eks-protection-stack.yml +++ b/templates/eks-protection-stack.yml @@ -164,7 +164,7 @@ Resources: project_name: !Ref CodeBuildProjectName artifact_bucket: !Ref StagingS3Bucket lambda_switch_role: !Ref EKSExecutionRoleName - Handler: lambda_function.lambda_handler + Handler: lambda.lambda_handler MemorySize: 128 Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName} Runtime: python3.11 @@ -205,7 +205,7 @@ Resources: project_name: !Ref CodeBuildProjectName artifact_bucket: !Ref StagingS3Bucket lambda_switch_role: !Ref EKSExecutionRoleName - Handler: lambda_function.lambda_handler + Handler: lambda.lambda_handler MemorySize: 128 Role: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${EKSExecutionRoleName} Runtime: python3.11 From f661d8366a3f889b35e476e93a968da1a628ed9f Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 11:56:57 -0500 Subject: [PATCH 02/12] eks account current context --- templates/crowdstrike_init_stack.yaml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index dd664e5..e31eb3b 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml @@ -77,7 +77,6 @@ Metadata: - EKSProtection - FalconCID - DockerAPIToken - - EventBusAccount - EventBusName - EventBridgeRoleName - EKSExecutionRoleName 
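Review bot: `Handler: lambda.lambda_handler` names a module called `lambda`, which is a Python keyword, so the module can never be loaded with a plain `import lambda` in unit tests or tooling even though the Lambda runtime resolves the handler string through importlib and will find it. The change is presumably aligning the handler with the packaged filename (patch 10 shows `lambda.py` already used for register-organization), but a mismatch with what is actually in the StagingS3Bucket artifact only surfaces as an import error at first invocation, so the artifact contents are worth confirming. The second hunk at @@ -205 makes the same change.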
@@ -184,8 +183,6 @@ Metadata: default: Falcon CID DockerAPIToken: default: Falcon Docker API Token - EventBusAccount: - default: EKS Protection Account EventBusName: default: Name of EventBus EventBridgeRoleName: @@ -427,10 +424,6 @@ Parameters: NoEcho: true Description: Your Falcon Docker API Token Default: "DockerAPIToken" - EventBusAccount: - Description: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator. - Type: String - Default: "111111111111" EventBusName: Type: String Description: Name of the centralized EventBus @@ -1388,7 +1381,7 @@ Resources: Environment: Variables: LOG_LEVEL: "INFO" - EVENTBUS_ACCOUNT: !Ref EventBusAccount + EVENTBUS_ACCOUNT: !Ref AWS::AccountId EKS_PROTECTION: !Ref EKSProtection Code: S3Bucket: !Ref StagingS3Bucket @@ -1491,7 +1484,7 @@ Resources: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName - ParameterKey: EventBusAccount - ParameterValue: !Ref EventBusAccount + ParameterValue: !Ref AWS::AccountId - ParameterKey: EventBusName ParameterValue: !Ref EventBusName - ParameterKey: CodeBuildRoleName @@ -1587,7 +1580,7 @@ Resources: - ParameterKey: EventBusName ParameterValue: !Ref EventBusName - ParameterKey: EventBusAccount - ParameterValue: !Ref EventBusAccount + ParameterValue: !Ref AWS::AccountId - ParameterKey: EventBusRegion ParameterValue: !Ref AWS::Region - ParameterKey: EventBridgeRoleName From e90cc6456679d800bf0cb19ff7e8a061c2fd4001 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 11:57:47 -0500 Subject: [PATCH 03/12] fix service managed stacksets --- templates/crowdstrike_init_stack.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index e31eb3b..1198957 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml 
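Review bot: `EVENTBUS_ACCOUNT: !Ref AWS::AccountId` hard-wires the centralizing account to whichever account deploys the template, and with the parameter removed in the @@ -427 hunk the only statement of the requirement that this account be the Organization Management Account or a Delegated Administrator is gone; nothing visible now documents or checks it, so a deployment from an ordinary member account presumably fails only later, at stack-set creation. Carrying the constraint into the description of the parameter that enables this path would preserve it, e.g. on `EKSProtection`: `Description: ... Must be deployed from the Organization Management Account or a Delegated Administrator.` The same substitution is made in the @@ -1491 and @@ -1587 hunks, which still hand the value to the nested stack sets under the name `EventBusAccount`, so those templates' own parameter descriptions may still read as if the account were configurable — worth checking.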
@@ -1492,6 +1492,7 @@ Resources: - ParameterKey: PermissionsBoundary ParameterValue: !Ref PermissionsBoundary PermissionModel: SERVICE_MANAGED + CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: false @@ -1586,6 +1587,7 @@ Resources: - ParameterKey: EventBridgeRoleName ParameterValue: !Ref EventBridgeRoleName PermissionModel: SERVICE_MANAGED + CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ] AutoDeployment: Enabled: true RetainStacksOnAccountRemoval: true From 4bd422b9c36d62aa55aa57b736fc47b03f2a7fa3 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:01:25 -0500 Subject: [PATCH 04/12] eks root stacksets to stacks --- templates/crowdstrike_init_stack.yaml | 129 ++++++++------------------ 1 file changed, 41 insertions(+), 88 deletions(-) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index 1198957..51ad522 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml 
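Review bot: `CallAs: !If [ IsDelegatedAdmin, 'DELEGATED_ADMIN', 'SELF' ]` relies on an `IsDelegatedAdmin` condition that is not defined anywhere in this series, so it is worth confirming the condition already exists in the template rather than being an intended part of this commit. When it resolves to DELEGATED_ADMIN, the deploying account must already be registered in AWS Organizations as a delegated administrator for CloudFormation StackSets, otherwise creating these SERVICE_MANAGED stack sets fails with an access error; a one-line `# DELEGATED_ADMIN requires the deploying account to be registered as a StackSets delegated administrator` above the property would make that precondition visible. The stack set in the @@ -1586 hunk gets the same change.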
@@ -1436,39 +1436,21 @@ Resources: Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${OrgIdLambdaFunctionName}:log-stream:* # EKS Protection - RootRolesStackSet: + RootRolesStack: + Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection - Type: AWS::CloudFormation::StackSet + DeletionPolicy: Delete + UpdateReplacePolicy: Delete Properties: - StackSetName: crowdstrike-eks-protection-root-roles - Capabilities: - - CAPABILITY_NAMED_IAM - AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn - ExecutionRoleName: !Ref StackSetExecRole - Parameters: - - ParameterKey: CodeBuildProjectName - ParameterValue: !Ref CodeBuildProjectName - - ParameterKey: CodeBuildRoleName - ParameterValue: !Ref CodeBuildRoleName - - ParameterKey: EventBridgeRoleName - ParameterValue: !Ref EventBridgeRoleName - - ParameterKey: EKSExecutionRoleName - ParameterValue: !Ref EKSExecutionRoleName - - ParameterKey: StagingS3Bucket - ParameterValue: !Ref StagingS3Bucket - - ParameterKey: EventBusName - ParameterValue: !Ref EventBusName - - ParameterKey: PermissionsBoundary - ParameterValue: !Ref PermissionsBoundary - PermissionModel: SELF_MANAGED - StackInstancesGroup: - - DeploymentTargets: - AccountFilterType: NONE - Accounts: - - !Ref EventBusAccount - Regions: - - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-root-roles.yml + Parameters: + CodeBuildProjectName: !Ref CodeBuildProjectName + CodeBuildRoleName: !Ref CodeBuildRoleName + EventBridgeRoleName: !Ref EventBridgeRoleName + EKSExecutionRoleName: !Ref EKSExecutionRoleName + StagingS3Bucket: !Ref StagingS3Bucket + EventBusName: !Ref EventBusName + PermissionsBoundary: !Ref PermissionsBoundary EKSTargetRolesStackSet: Condition: EnableEKSProtection 
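Review bot: Renaming `RootRolesStackSet` to `RootRolesStack` leaves `DependsOn: RootRolesStackSet` on EKSTargetRolesStackSet pointing at a resource that no longer exists (the old line is visible in patch 05), so the template at this commit fails validation until patch 05 lands; folding that one-line fix into this commit keeps every commit in the series deployable. Dropping `Capabilities: [CAPABILITY_NAMED_IAM]` is correct for a nested AWS::CloudFormation::Stack, which inherits the parent's acknowledged capabilities, but since eks-root-roles.yml was previously given that capability and presumably creates named IAM roles, a `# inherits CAPABILITY_NAMED_IAM from the parent stack` comment would record why it is absent. The same rename/DependsOn ordering problem applies to RootEKSProtectionStack in the next hunk.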
@@ -1508,68 +1490,39 @@ Resources: - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-target-roles-stackset.yml - RootEKSProtectionStackSet: + RootEKSProtectionStack: + Type: 'AWS::CloudFormation::Stack' Condition: EnableEKSProtection DependsOn: EKSTargetRolesStackSet - Type: AWS::CloudFormation::StackSet + DeletionPolicy: Delete + UpdateReplacePolicy: Delete Properties: - StackSetName: crowdstrike-eks-protection-root-protection - Capabilities: - - CAPABILITY_NAMED_IAM - AdministrationRoleARN: !GetAtt StackSetAdministrationRole.Arn - ExecutionRoleName: !Ref StackSetExecRole - Parameters: - - ParameterKey: StagingS3Bucket - ParameterValue: !Ref StagingS3Bucket - - ParameterKey: Backend - ParameterValue: !Ref Backend - - ParameterKey: Registry - ParameterValue: !Ref Registry - - ParameterKey: EnableKAC - ParameterValue: !Ref EnableKAC - - ParameterKey: CrowdStrikeCloud - ParameterValue: !Ref CSCloud - - ParameterKey: EventBusName - ParameterValue: !Ref EventBusName - - ParameterKey: OrganizationId - ParameterValue: !GetAtt OrgIdLambdaCustomResource.organization_id - - ParameterKey: FalconClientId - ParameterValue: !Ref FalconClientID - - ParameterKey: FalconClientSecret - ParameterValue: !Ref FalconSecret - - ParameterKey: KubernetesUserName - ParameterValue: !Ref KubernetesUserName - - ParameterKey: FalconCID - ParameterValue: !Ref FalconCID - - ParameterKey: DockerAPIToken - ParameterValue: !Ref DockerAPIToken - - ParameterKey: EKSExecutionRoleName - ParameterValue: !Ref EKSExecutionRoleName - - ParameterKey: CodeBuildProjectName - ParameterValue: !Ref CodeBuildProjectName - - ParameterKey: CodeBuildRoleName - ParameterValue: !Ref CodeBuildRoleName - - ParameterKey: VpcCIDR - ParameterValue: '10.192.0.0/16' - - ParameterKey: PublicSubnet1CIDR - ParameterValue: '10.192.10.0/24' - - ParameterKey: PublicSubnet2CIDR - ParameterValue: '10.192.11.0/24' - - ParameterKey: 
PrivateSubnet1CIDR - ParameterValue: '10.192.20.0/24' - - ParameterKey: PrivateSubnet2CIDR - ParameterValue: '10.192.21.0/24' - PermissionModel: SELF_MANAGED - StackInstancesGroup: - - DeploymentTargets: - AccountFilterType: NONE - Accounts: - - !Ref EventBusAccount - OrganizationalUnitIds: - - !GetAtt OrgIdLambdaCustomResource.eventbus_account_ou - Regions: - - !Ref AWS::Region TemplateURL: !Sub https://${SourceS3BucketName}.s3.${S3BucketRegion}.amazonaws.com/${SourceS3BucketNamePrefix}/templates/eks-protection-stack.yml + Parameters: + StagingS3Bucket: !Ref StagingS3Bucket + Backend: !Ref Backend + Registry: !Ref Registry + EnableKAC: !Ref EnableKAC + CrowdStrikeCloud: !FindInMap + - CloudMap + - !Ref CSCloud + - CrowdStrikeCloud + EventBusName: !Ref EventBusName + OrganizationId: !GetAtt OrgIdLambdaCustomResource.organization_id + FalconClientId: !Ref FalconClientID + FalconClientSecret: !Ref FalconSecret + KubernetesUserName: !Ref KubernetesUserName + FalconCID: !Ref FalconCID + DockerAPIToken: !Ref DockerAPIToken + EKSExecutionRoleName: !Ref EKSExecutionRoleName + CodeBuildProjectName: !Ref CodeBuildProjectName + CodeBuildRoleName: !Ref CodeBuildRoleName + SourceS3BucketNamePrefix: !Ref SourceS3BucketNamePrefix + VpcCIDR: '10.192.0.0/16' + PublicSubnet1CIDR: '10.192.10.0/24' + PublicSubnet2CIDR: '10.192.11.0/24' + PrivateSubnet1CIDR: '10.192.20.0/24' + PrivateSubnet2CIDR: '10.192.21.0/24' EKSEventBridgeStackSet: Condition: EnableEKSProtection From 03cecf774342405577093ea78a58cef36987c3aa Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:02:16 -0500 Subject: [PATCH 05/12] fix depends on --- templates/crowdstrike_init_stack.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index 51ad522..3d38c4a 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml 
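Review bot: `CrowdStrikeCloud: !FindInMap [CloudMap, !Ref CSCloud, CrowdStrikeCloud]` looks up a second-level key that `CloudMap` does not have until patch 06 adds it, so this commit alone produces a template CloudFormation rejects; squashing patch 06 into this change (along with the DependsOn fix from patch 05) keeps the series bisectable. `FalconClientSecret: !Ref FalconSecret` and `DockerAPIToken: !Ref DockerAPIToken` are now nested-stack parameters, and NoEcho does not propagate between templates: the values are masked in the nested stack's parameter list only if eks-protection-stack.yml declares them `NoEcho: true` itself, which this series does not show. `SourceS3BucketNamePrefix` is likewise a new parameter for the nested template and needs a matching declaration there, or the nested stack creation fails with an unknown-parameter error. The Resources block continues beyond the hunk.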
@@ -1454,7 +1454,7 @@ Resources: EKSTargetRolesStackSet: Condition: EnableEKSProtection - DependsOn: RootRolesStackSet + DependsOn: RootRolesStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: crowdstrike-eks-protection-target-roles @@ -1526,7 +1526,7 @@ Resources: EKSEventBridgeStackSet: Condition: EnableEKSProtection - DependsOn: RootEKSProtectionStackSet + DependsOn: RootEKSProtectionStack Type: AWS::CloudFormation::StackSet Properties: StackSetName: crowdstrike-eks-protection-eventbridge From a4f3f0e7fa7594f35291e2404ea8752204fddf22 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:03:02 -0500 Subject: [PATCH 06/12] cloud map --- templates/crowdstrike_init_stack.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/crowdstrike_init_stack.yaml b/templates/crowdstrike_init_stack.yaml index 3d38c4a..8b68cfd 100644 --- a/templates/crowdstrike_init_stack.yaml +++ b/templates/crowdstrike_init_stack.yaml @@ -474,10 +474,13 @@ Mappings: CloudMap: us1: BaseURL: "https://api.crowdstrike.com" + CrowdStrikeCloud: us-1 us2: BaseURL: "https://api.us-2.crowdstrike.com" + CrowdStrikeCloud: us-2 eu1: BaseURL: "https://api.eu-1.crowdstrike.com" + CrowdStrikeCloud: eu-1 Conditions: CreateIOAResources: !Equals [ !Ref 'EnableIOA', true ] From 99d61278341db6095ff2720f10910a9ae9d063f5 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:06:07 -0500 Subject: [PATCH 07/12] update guide --- guide/content/deployment-steps.md | 1 - 1 file changed, 1 deletion(-) diff --git a/guide/content/deployment-steps.md b/guide/content/deployment-steps.md index 7f23c79..d6416cc 100644 --- a/guide/content/deployment-steps.md +++ b/guide/content/deployment-steps.md 
@@ -61,7 +61,6 @@ description: Deployment steps. * **FalconCID**: Your CrowdStrike Falcon CID with checksum. (eg. ********************************-ab) * **DockerAPIToken**: Your Falcon Docker API Token * **OrganizationId**: Your AWS Organization ID (eg. o-********) - * **EventBusAccount**: The account to centralize EKS Protection resources. This account must be the Organization Management Account or a Delegated Administrator. * **EventBusName**: Name of the centralized EventBus. Default is `crowdstrike-eks-eventbus` * **EventBridgeRoleName**: Name of the EventBridge IAM role. Default is `crowdstrike-eks-eventbridge-role` * **EKSExecutionRoleName**: Name of the Target Execution IAM role. Default is `crowdstrike-eks-execution-role` From 0ec93e4a252787bbfd71ec67162896300b60ae44 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:06:37 -0500 Subject: [PATCH 08/12] remove parameter --- .taskcat.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.taskcat.yml b/.taskcat.yml index c249bf1..b747509 100644 --- a/.taskcat.yml +++ b/.taskcat.yml @@ -24,7 +24,6 @@ tests: FalconSecret: $[taskcat_ssm_/crowdstrike/falcon_secret] DockerAPIToken: $[taskcat_ssm_/crowdstrike/falcon_docker_api_token] FalconCID: $[taskcat_ssm_/crowdstrike/falcon_cod] - EventBusAccount: $[taskcat_ssm_/crowdstrike/eventbus_account] SourceS3BucketName: $[taskcat_autobucket] S3BucketRegion: $[taskcat_current_region] ProvisionOU: $[taskcat_ssm_/crowdstrike/provision-ou] From 0e497f3db16a219d67e77f9d280bdaefc9157263 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 29 Oct 2024 12:10:39 -0500 Subject: [PATCH 09/12] bump patch version --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 795460f..56130fb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v1.1.0 +v1.1.1 From ef0a6504eca1854ca2953fb76b94a4d290d2b697 Mon Sep 17 00:00:00 2001 
From: Ryan Payne Date: Tue, 29 Oct 2024 14:44:44 -0500 Subject: [PATCH 10/12] bump cs user agent --- lambda_functions/source/register-organization/lambda.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambda_functions/source/register-organization/lambda.py b/lambda_functions/source/register-organization/lambda.py index d7f58fd..72f447c 100644 --- a/lambda_functions/source/register-organization/lambda.py +++ b/lambda_functions/source/register-organization/lambda.py @@ -22,7 +22,7 @@ SUCCESS = "SUCCESS" FAILED = "FAILED" -VERSION = "1.0.0" +VERSION = "1.1.1" NAME = "crowdstrike-cloud-abi" USERAGENT = ("%s/%s" % (NAME, VERSION)) From 3f4f445297366129e4e6c24832fc60aa3bc9af69 Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 12 Nov 2024 12:45:06 -0600 Subject: [PATCH 11/12] disable scoutsuite --- .project_automation/functional_tests/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh index fda5377..012a6ee 100755 --- a/.project_automation/functional_tests/entrypoint.sh +++ b/.project_automation/functional_tests/entrypoint.sh @@ -30,11 +30,11 @@ run_test() { if [ -z "$1" ]; then echo "Running e2e test: ALL" taskcat test run -n - .project_automation/functional_tests/scoutsuite/scoutsuite.sh + # .project_automation/functional_tests/scoutsuite/scoutsuite.sh else echo "Running e2e test: $1" taskcat test run -n -t $1 - .project_automation/functional_tests/scoutsuite/scoutsuite.sh + # .project_automation/functional_tests/scoutsuite/scoutsuite.sh fi } From b03a0d9d0ebcef1bde82544bbde18954f414b09b Mon Sep 17 00:00:00 2001 From: Ryan Payne Date: Tue, 12 Nov 2024 17:09:34 -0600 Subject: [PATCH 12/12] remove flag --- .project_automation/functional_tests/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
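Review bot: Commenting out `.project_automation/functional_tests/scoutsuite/scoutsuite.sh` in both branches of run_test removes the only security-posture scan from the functional test run with no reason recorded in the script or the commit message, so it is likely to stay disabled indefinitely. Record the reason and a tracking reference next to it, e.g. `# ScoutSuite disabled: <reason> — see <tracking-issue>`, or better gate it on a variable, `if [ "${RUN_SCOUTSUITE:-false}" = "true" ]; then .project_automation/functional_tests/scoutsuite/scoutsuite.sh; fi`, so it can be re-enabled from CI configuration without editing the script. run_test() opens before this hunk.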
diff --git a/.project_automation/functional_tests/entrypoint.sh b/.project_automation/functional_tests/entrypoint.sh index 012a6ee..e247470 100755 --- a/.project_automation/functional_tests/entrypoint.sh +++ b/.project_automation/functional_tests/entrypoint.sh @@ -29,11 +29,11 @@ run_test() { unset AWS_DEFAULT_REGION if [ -z "$1" ]; then echo "Running e2e test: ALL" - taskcat test run -n + taskcat test run # .project_automation/functional_tests/scoutsuite/scoutsuite.sh else echo "Running e2e test: $1" - taskcat test run -n -t $1 + taskcat test run -t $1 # .project_automation/functional_tests/scoutsuite/scoutsuite.sh fi }
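Review bot: `taskcat test run -t $1` still passes `$1` unquoted while the guard above it uses `[ -z "$1" ]`; quote it as `taskcat test run -t "$1"` so a test name containing spaces or glob characters is not split by the shell. Dropping `-n` (presumably taskcat's `--no-delete`) means the test stacks are now torn down after the run, which fits the ScoutSuite scan of the retained stacks having been commented out in patch 11; if that scan is ever re-enabled the flag has to return with it, so a `# scoutsuite needs retained stacks: restore -n when re-enabling` next to the commented-out line would tie the two together. run_test() begins above the hunk.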